Convergence Across Identity, Authentication and Open Banking

Perhaps we can start by introducing yourselves, the company you work for, and maybe a bit about yourself and then we can continue the panel session. We got it, Nick. Sure. I'm Mark Hayne. I wear many hats. The hats I'm wearing at this event is as a member of the Open ID Foundation. I'm also an independent consultant.

And yeah, I've been around this space a little while. I started off doing financial services operations and a stock broker. I've moved through various banking roles, you know, operational into design and architecture, largely on the kind of technical engineering and security networks and application architecture. And through all of that, I ended up doing open banking, which brought me into the Open ID family in some manner to begin with, maybe four or five years ago, which then led me on into the digital identity space more directly.

I'm now a co-chair of a couple of working groups in the Open ID Foundation and a board member of the Open Identity Exchange. I'm Juliana Catholic.

I am, pardon me, other than Jet Lagged, I am a member of the Microsoft Identity Standards team. I have a, I'm very relatively new there. Less than a year prior to that, I come into identity from a very strange trajectory. My initial foray into tech was coming into the ski industry, literally building access control systems for ski resorts all over North America and into Europe where we had to marry identity before it was popular with payment and make it non repudiated and subsecond before there were wireless networks and before there was any kind of cloud. So that literally was rocket science.

And I spent the rest of my career about 27 years building innovative solutions for payment, where again, identity was all released at the intersection, all the way up to literally building mobile wallets for telecommunications companies so they could have their users pay their bills directly from the bank account in 1990. So this, I'm dating myself. So when I was asked to build a high assurance digital wallet that included both payment and identity about eight years ago, I understood the rules for payment.

I understood the rules for banking, I understood all the certifications and assessments I'd have to go through, but I was looking for the rules for identity and I could not find any. And I was literally losing my mind because I was used to being in a regulatory environment. So I threw myself into identity, looking at everything I could. I volunteered for diac, became co-chair of the Chiefer Trust Framework Expert Committee, helped build the component and lead the component for the digital wallet, as well as revise their security and infrastructure component and their trust registries component.

And I had the good fortune of stumbling into Microsoft. So here I am.

Hello, Daniel Gold. I am one of the co-founders and used to run a company called yes.com, which is an ecosystem of about 1000 banks in Germany who are using this ecosystem, both as a technical framework as well as a scheme to make identity and payment information.

You know, account information available and late last year started an initiative called Open Wallet Foundation, which formally incorporated in February of this year. And the Open Wallet Foundation is basically a safe space for for-profit companies, non-profit companies, government officials, to come together and create open source software for secure and interoperable wallets. My name's Heather Flanagan, like Mark, I am also a mercenary.

Currently I have several different roles, one of which is published a paper last week with the Open ID Foundation and several other organizations on government issued digital credentials and privacy. But I also tend to collect standards organizations, kind of like Pokemon. I was the RFC series editor for eight years and I'm currently a W three C community group chair for the Federated Identity Community Group. I've also worked with canara, I worked with diac early on. I love to have conversations with nist.

Really, if there's a standards organization, I just, I just find them very exciting, which means I think I need to get out more, but that's, that's part of what I'm bringing to the discussion today. Thank you.

Hi, I'm Nick Mother Short. I, I'm, I'm also a kind of semi mercenary, I guess not entirely. I have a number of roles. So I'm Chief Identity Strategist at the Open Identity Exchange. I'm also program manager on a thing, which is now in, called Id Connect in the uk, which is a new scheme to connect, relying parties to multiple identity providers. So I explained that cause I think we'll be touching on that as part of the panel as we move forward.

I mean my, my career and identity started many years ago in my late twenties dealing with hiding identities. So I started on the other end informant management, managing people who were doing covert operations. And then I went into general intelligence management, crime pattern analysis biometrics in 2000, 2001 I was doing biometric detection with watch lists as people walked through air airports looking for terrorists. And then moved into fraud designed the, the Hunter Fraud Management system, which is used around the globe to detect fraud in financial and insurance applications.

And that's an anomaly. Rules matching now uses machine learning to, to find fraud anomalies. From there moved in back into identity in terms of positively identifying lots of people as opposed to trying to identify criminals. And From there in traditional identity, so around seven or eight years ago, I already got into digital identity when I first presented the concepts of digital identity, I think it was in 2008, it was the year I worked for Experian at the time.

And it was the year we demerged and I almost take going to the C CEO at the time and said, look, we've got this great idea for digital identity. And he was like, nah, nah, he's gonna pay for that. People are never gonna pay for that. I was like, well, we already sell identity information.

You, it's the same thing. You're, you're delivering the information, but in a better way. And since then I've been really interested in it going involved in the open identity exchange, became chair there. And around 2019 I wanted to leave and concentrate solely on digital identity rather than big corporate strategy, which is where I got stuck. And you know, I've been living it ever since. So thank you panelist.

I'm, I don't know if we actually let you know, colleague over there that I was going to moderate the panel. I've got a bunch of stuff here lined up. So first thing to say, just as a reminder for everybody, this panel's entitled Convergence Across Identity, authentication and Open Banking. And we're gonna try and unpack that a little, see if we can find opportunities and threats and, and I hopefully have a very stimulating conversation about, about how that might be something that we discover over the next few years as a, as a useful solution to some problems.

So the first one that we were going to discuss, and I'd be interested to hear your opinions on is, are these topics something that are fit for convergence? So who would like to open on that topic? I'll lean into that, I suppose. So convergence, I'm, I'm gonna focus on the wallet as the convergent point for identity and financial services.

I'm gonna, I'm gonna blanket open banking with financial services that include things like payment, getting a mortgage, buying insurance, all of those things. I'm gonna lump them into the financial services side. All of the financial services use cases require identification. It's regulated.

There are, it's steeped in process, steeped in risk management, not only regulations, but risk management that are determined by the teams at the, within the banks themselves. There is an incredible amount of process between the identification of an individual or identity and their ability to access financial services and be able to use them. And then reciprocally for parties like merchants or insurance companies, title insurance companies, mortgage lenders, et cetera, for them to be able to trust that this individual that had been identified by their bank is in fact who they are.

And, and that part, the convergence part for identity in this context is can identity in terms of verifiable credentials, identity in terms of a government issued identity from an external source that is not part of the bank's K Y C process or know your customer process, can that be accepted and relied upon and meet the risk requirements for a bank in order to provision financial services? That is, in my mind, the convergence point.

So I probably would not have picked the, the word convergence, which as an fyi, none of us here have actually picked, but I, I think there is definitely an overlap. So when you look at the financial services industry and identity bank ID is actually here, you know, both people from bang Sweden as well as Bangai Norway.

And they are showing how successful banks can be as identity providers for a very simple reason, you know, you may be Joe Schmo on Facebook, but your bank typically has a much better idea who you are, what your date of birth is, you know, they know about your, your citizenship and so on and so forth. So I think services like bank, ID have proven already, you know, more than a decade ago, that banks can be amazing identity providers and bank ID is also used in many cases for authentication. We did something like that in Germany as well with, as I said, about a thousand banks.

And I think banks are naturally born IDPs now we are starting with a new paradigm. You mentioned wallets, and in the wallet world, the dynamics are going to be a little bit changed.

You know, the first question is, who's going to issue to publish that wallet? And some countries and some jurisdictions will allow anyone to publish a wallet that lives up to certain standards. And so banks and the financial services industry in some countries may actually decide that they want to publish a wallet. In some areas, the, the government will probably decide that they are going to have a monopoly on the, the root identity that basically it's the function of the government to supply a digital version of your identity card or your, your passport.

In some countries, maybe the country will say, you know, actually I'm not comfortable doing that, or at least not comfortable doing that yet. And so banks may in addition, or instead of publishing the wallet, also publish identity credentials. And even if a country decides that it's really the country that should publish the wallet and the country that is going to issue the identity credential, there will be roles and opportunities, I think for banks to issue other credentials.

For instance, you know, tokenized credit cards, tokenized debit cards, or a token that gives you access to a bank account. So, you know, convergence to me sounds a little bit like everything is coming together and becoming almost one. I don't think that, you know, banks are going to have quite as central a role, but I do think that banks are going to have a, you know, a role to play. I think there's, there's picking up on what, what you're saying there, Daniel, I think there's, there's a question about will, will they, in my mind anyway, will they converge?

So if I end up with a government deciding it's going to essentially own the foundational identity for its citizens and issue them a wallet that is also owns, I've got a fairly close system there. And the government might do that to enable access to private sector services. And this in a way is, is kind of what the EU is, is doing.

It's, it's kind of demanding that a wallet's is issued. I know there's private sector options there for the wallet to be issued by state, but it's very kind of top-down government approach in terms of, right, government wallet must be issued with the government pit in it. Setting aside what the EU is doing with regulation, what a P is, oh, sorry, P is a personally identifiable data that goes inside the wallet. So the EU is requiring each state to ensure a wallet is issued or issuable to its citizens. It leaves the options of how to do it.

So the government could do it itself, a contractor, a supplier to do it. It could create a marketplace of wallets, but the government must then ensure the bid, the person identifiable data is put inside that wallet as the trust anchor.

So that's that, that's that the way that EU constructs in the wallet, the EU is also writing regulations to say that that wallet must be accepted in for opening a bank account for transacting on a bank account, which I think we'll come back to later as a, it says authorization discussion, taking aside what the use doing to regulate all of that in a, in a more open market, if governments are creating wallets to prove that core identity banks have facilities for payment, are the two things that are gonna go in the same wallet, will they converge?

I can see in, in mid-market where you'll end up, yes, I've got a government ID in my government wallet and I can use that to prove how I am face-to-face and online, but now I need to pay, I need to jump to my other wallet, which comes to my bank. And it's not the same thing.

They haven't converged the technology underlying them might be very similar or the same, but actually I've got two constructs as you know, I may choose today, if I look at my files at home, when I start thinking about wallets, I start thinking not about the, the wallet that's in my pocket, but the way I file the elements of the rest of my life. And we keep talking about the digital wallet having everything in it.

So it's gonna have all of my digitized stuff, my education, my employment records, my my previous utility bills, my marriage certificates, my divorce certificates, my marriage certificate, my divorce certificate. I've, I've, I've only got the four by the way I'm working on it.

Yeah, we'll all be put in one place and I will choose to put them all in one place. I don't think I will because I don't, today I carry some stuff around in my wallet that is useful to me immediately and only what's necessary because there's a security risk if I lose it, I put other more important things in other wallets. So I think functionally we're gonna end it with people wanting wallets or, or wallet folders, you know, to, to put them in.

But I can see many places where they, you know, we've got different physical wallets and we haven't got convergence between banking in that case and identity. So there's something really strange and, and kind of fun about feeling like you're the curmudgeon on a panel, which I feel like I'm gonna be the curmudgeon on the panel a bit because I don't think that, I mean, I do agree that convergence isn't a great word, but more to the point, I don't think we know exactly what we're even talking about yet in order to, to start saying, all right, what would convergence look like?

How are we gonna put these things together? Because now wearing my my standards development hat, there's a lot of gaps in the standards for wallets, for authentication, for the policies to be able to get all of these things to inter-operate as one would hope. The concept of banking and being global and human jurisdictions and, and open internet.

I mean, these things don't line up particularly gracefully as every country has their own laws, their own requirements, their own assurance levels, and trying to make sure that all of that aligns internationally before we start saying, all right, let's get those APIs going. You know, I would actually prefer to up level a bit and say, well yes, but what are we agreeing to? And we don't have that yet. So until we get there, I'm concerned.

So I wasn't really expecting to step out of my moderator shoes quite this early, but I do want to share a little story which reflects very accurately and very, in a very pointed way, what Heather's talking about there. When we established the working group, which I co-chair and the Open ID Foundation, we had a long debate about what to call it, it's called the E K Y C and Identity Assurance working group. And the reason we have that and in the middle is we couldn't decide whether to call it the E K Y C working group or the Identity Assurance working group.

And that split is because the E K Y C bit is what banks call it and the identity assurance bit is what governments call it. And we couldn't resolve that argument. So I think that actually really illustrates the point quite clearly that there is some sort of divide there.

You've already jumped nicely into some of the challenges and you've Been a country, you know, so yes, absolutely this is, I wished the problem was just between countries, but for instance, in, you know, and I'm not going to name that country, but in a large group of countries, not too far from here, the, you know, you have a situation that you have a regulation for digital signatures and you have another regulation for aml and you can actually use digital signatures in order to satisfy the AML requirements, yet the requirements for the digital signatures and the AML are different, which makes no sense at all, right?

It's like one of those mc Escher drawings where something just doesn't really quite line up. So in order to satisfy the AML requirements, you can use a qualified electronic signature, but the requirements for qualified electronic signatures are in some cases vastly different than the requirements for m l. So just to add, you have that problem between countries and of course even more so between continents, but even the, the departments, the ministries within a country often cannot agree on, on what those rules and regulations should be. Awesome.

Well, moving away from maybe some of those vertical separations, are there any other challenges to converging these things? Which, which anybody'd like to draw out?

I'll, I'll jump into that one and I guess by now the audience can tell we're not here to give you a solution. We're identifying what these challenges are. One of them is, and I'm gonna start high in the identity world, we use the word authentication in the financial services world, we use the word K Y C, we use the word authentication, we use the word authorization, then we have notice and we have consent. And they're all different things and they are very clear and there are processes and legal structures and risk management all built around those things.

And they must be present in order for the risk management side of things to balance out properly in the identity world. It seems to me that authentication encompasses everything. And I'm not clear at this time. I think we need to really look at authentication and consider whether or not it needs to have similar breakouts in order to start to allow for similar risk management governance to come down into the identity side. Then we have one more big problem. And that is even if we, even within one region, let's take NIST and IT 863 4, and we look at the assurance levels for authentication.

1, 2, 3, let's say we all agree, 1, 2, 3 here, you know, these are the, these are the mechanisms underneath, we all understand what they are to be a level three. But we have, each of the providers has our own ability to implement under AAL AAL three in our own way, within our own platforms. And the schema at the granular level for that is different than on Microsoft than aca for instance. How then are we going to share across platforms when we have hops across providers, even if it's all a a L three and we have different schema between the providers. Do we have a security risk there?

Can we rely upon those assurance levels? We need to solve some of those really granular things even within one country, under one set of rules. Now expand that across regions between the US and the eu or even between the EU member states and their protocol between member states under the a r F. We have a really complex set of problems to deal with at a granular level, even though we all have a, a clear understanding of what those assurance levels should be.

Those, that's some real work that we need to start to do in the identity space. And I have a really strong suspicion the banks are going to say, go fish, go figure that out and then come to me and tell me that your authentication, I can accept your authentication and reduce my risk on or meet my risk requirements to provide financial services. If you have a bunch of standards and they don't actually allow interoperability, are they really standards?

So I am, I'm Austrian and we're here in Germany and there is a saying that Germany and Austria are separated by their common language, which is German, but so, you know, I fully agree with what you just said Juliana. And just one anecdote, you know, we, we founded the Open Wallet foundation with two major credit card schemes and in one of our first conversations it took me and Torsten half an hour to figure out that when they, in the credit card schemes talk about authorization, they mean something completely different than what we mean with authorization.

Because for us, authorization meant that a customer authorized, you know, the, the passing on of claims or, or, or scopes of course in the credit card world authorization means that you basically authorize a credit card transaction, which is not, you cannot authorize that transaction as a, as a card holder, you know, you're starting that, but you can never authorize it. It would be a real problem if you did.

So I think again, to make things worse, and sorry that this is a late panel that is not too uplifting, but to make things worse, sometimes we're not just using different vocabulary, but sometimes we're using the same exact words to mean very different things and that's clearly not not helpful. So I think some of the convergence that hopefully is happening is that we can agree on calling, you know, the same thing by the same name.

Maybe you shake your, your, your head, you don't want to have the same names or Oh, Want to Sure, but I'm, I'm with John, I not in my lifetime, I don't think You're replying logic, I think to to you're, You're Really uplifting, at least the audience here is uplifting To maybe to try and uplift us a bit. We're it's not, it's not all, it's not that we're all is lost.

So we are, so Mark referred to O IDC for identity assurance and in there at the moment you can describe the, the way the what GI was talking about the I A L one, two or three and you can describe the different components that we use to to put that together. And at O X we're working on, well how do we break down different approaches to proofing around the globe? So in the US you've got I 1, 2, 3, Europe's got medium substantial, high, UK's got medium, no hasn't UK's got low substantial high, UK's got low, medium high. Some countries have got, you know, up to seven different levels of assurance.

What we're doing is unraveling how that works and actually they all do the same things in the same way and it can all be described using our IDC for ID eight. So that's a massive first step. We we're starting to understand the process and we can describe the result that's just the proofing bit.

Again, as you and I were saying, knowing the proofing is one element, the how the binding happened to the individual and the authenticators use is another one. What did the user consent, what notices were they given? So all of these extra policy elements also need to be able to be recorded and communicated in a standard way. And we're currently analyzing at the oex eight different trust frameworks and looking at their general policies which include things like consent and things like liability and working out. Can we normalize those in a way that can be described?

Not in a way that means everyone moves to the same framework and policies because they will not and should not. Countries have different policies for different reasons, they have different cultures, they have different, different political leadership, they have different approaches to identity. We're never going to normalize country policy, but can we communicate it in a standard way? So can we identify that for consent?

There are essentially six or seven ways of doing it and when we've categorized what they are, each country can then say, well I do consent like this and if the other country where I'm now trying to use my ID or present that information recognizes that and maybe just recognizes that it's different, but essentially a substantially does the same thing and they're happy with it, then that consent statement can be interoperable. Now we're only just at the start of exploring this. Rachel's helping us with the work. Thank you Rachel.

In terms of understanding those policies, once we've got the eight frameworks together and that's US, uk, I'm start with no fingers, us, uk, eu bank id, Sweden is is helping us out. Moip Singapore, where we got to Thailand is one just joining and I've missed one. There are definitely eight. It's like Name in the seven drawers. You always miss one. It Is. I've got to seven, I've missed, I've missed one. I do apologize to the framework I've missed Canada.

Yes, Canada. There you go.

Hey, so sorry, I knew this was the most important one I've missed. Yeah, once we finish analyzing all of those, we'll take a step back.

Okay, what, what have we got? Can we distill out a set of characteristics that are meaningful to all frameworks? Can we normalize some of them and can we have that discussion around now, understanding each other's policies and maybe turning this into something systemic that we can extend the work that Mark and team have already done. O idf not just to talk about the verification element for the person, but also all the other policy elements as well.

Again, we're at the start of this, I'll talk more about it a keynote tomorrow, it's part of the work we're doing on gain, but yeah, so there is, try try to uplifters a bit. There is, there is. We are trying to do something about this. Ask us a cheerful question mark, What's your favorite color?

Okay, so we've had a really nice chat about, you know, a wallet architecture hypothetically, maybe something similar to what the A R F'S doing. You know, we've talked about various standards. I think it's really interesting. Sure reflect, there's been very little mention of technical standards here. I would say, I think more or less all of you have talked about things in the policy domain and I think, you know, we've partly because we have a bunch of amazing engineers out there building the technical bits quite aggressively.

I don't mean in a bad way of course, just like pushing right forward and delivering those things. But maybe the thing that we need to highlight is that those policy domain standards and normalization of standards to allow cross communication are really important efforts as well.

So yeah, O I X is a great place to go and have those policy discussions and I'm sure Heather can point us in the direction. We could probably do a shout out to Cantara seeing us. They're in the room too.

Oh, if you wanna talk technical standards in this space, I, I would actually move away from the the geopolitical geopolitical boundaries of what's happening, you know, in the A R F with EU or what's happening in NIST or things like that. I would absolutely send folks to, if you need something that's that's supported by treaty, go to iso, I'm sure that there's work happening there. If you need something that's a bit more open in terms of participation, investigate what's happening at the i f and if there isn't a group then propose one. I would not go to the W three C.

That doesn't make any sense whatsoever. And then of course the Open ID foundation would be a really solid place. CONTAR is not a place to take technical standards. But for all of this, I think open ID foundation would be solid. One thing I would love to know, I would really love to know is where to standardize what's a wallet. Yeah.

And the beautiful thing is that technically we have of course completely sorted it out because there is only one credential format, there is only one protocol to, no, so of course not, it's probably as as bad or, or even worse, you know, you have ISO MDL and SD jots in the airf that you mentioned and you have, you know, Aries and Hyperledger, which is used in in Canada. The Department of Homeland Security is not ideally coordinated potentially with the Treasury Department. They have slightly different ideas when it comes to wallets within the United States of America.

And you know, there are different member states in the European Union that are all going to follow the A R F, but they're have very, you know, they read the same text but they understand very different things. And you know, I think the, the trick is going to be on the one hand to be inclusive. So what we're trying to do at the Open Wallet Foundation is basically, you know, we disappointed a lot of people who said, oh finally someone comes along and what is the reference architecture that we can use globally?

And we said, well, you know, how can we come up with something that can be used in Europe and in Canada and in the United States and in in India we can't. So basically what we're trying to say is let's create building blocks, great building blocks that you can use. So if you want to have a wallet, publish a wallet that works in Europe, you can use the building blocks for that. And if you want your wallet to be used in Canada, you use different building blocks. And if you want it to be used in both, well hopefully you will be able to use building blocks for both.

So in a way, what you see here, I think both with OOI X and the Open Wallet Foundation is that, you know, we're recognizing that what we really want ideally, which is probably something that says, you know, here are the three trust levels for this planet. So that if you share information from Japan to Switzerland, we know exactly what that information is, we know exactly what it means. Since we can't get there, the next best thing is probably to say, well let's look at everything that is out there and compare it and make it a little more interoperable that way.

And we're trying to do the same thing of basically saying, there are a lot of standards, let's make, let's at least create great reference implementations that you can use. And over time, hopefully build trust to get to something a little more interoperable. There is one body of work that sits quite independently that is not prescriptive, but does provide some fairly strong guidance that was just released by Diac for the digital wallet component.

It is independent, as I mentioned, not prescriptive of stack or protocol, but what it's attempting to do is define a wallet and define the conformance criteria for a wallet. It also includes a risk register for a wallet, things to watch out for. And it does associate those both risks as well as conformance criteria with assurance levels that align with nist.

It also factors in the other area that is of of, you know, a passion project of mine, which is security and ensuring that no matter what we do on the interoperability side, the protocol side, that the wallets are steeped in best practices for security, not just on mobile phones, but whether they incorporate hyd hybrid models or whether data is stored elsewhere outside of the wallet. That we have best practices, elevated security postures always at all times. And there's an opportunity to audit that on an ongoing basis.

And I'll add to that, that we just, or I just did a task that was not fun but necessary was to, to take the PCI version four for payment, protecting payment card information, which is literally identity and payment and map it to and provide guidance for Azure, for Microsoft and make that in a consumable way so that clouds, so that anybody who wants to look to how can I, how can I conform, how can I provide a high level of security under pci or even if you wanna look at it from an identity perspective within a cloud, it's very clear guidance for that in a very consumable way.

Is that publicly available by any chance? It is, it is. Awesome. So some great views there. I think I to responding to next question earlier, which is can I ask a better, more uplifting question? At the end of the day, I'm going to wave my magic wand and say we've fixed all of these concerns and issues and risks and all of that good sort of stuff. What are we actually delivering here? What's going to come out of the end of this machine and deliver to organizations that need to consume identity and payments to deliver on their business imperatives? Did we plan on that question?

That's a hard question, isn't it? It is.

We did, we did talk about that question, Heather, talk about that, Didn't we? That's the uplifting question. This is the uplifting answer. Uplifting answer.

I mean, what's gonna come out of it is, I would hope is a world where there's actually interoperability in multiple dimensions where it's not just a, I am compliant with this and therefore I can work with my client, you know, or my government or something like that. I want something where not only can you do that, but then you can also work across with other banks, other organizations, you know how, however they're vetted because of course they would be vetted because everything is perfect now, right?

So I, I see a level of interoperability that we're, we're not at yet. I was earlier this year in Hong Kong and I am an Austrian citizen as I said, but I live in Switzerland, so I have a Swiss driver's license and you know, I'm able to use an Austrian passport as someone who lives in Switzerland at the border to enter Hong Kong and then rent the car with my Swiss passport. So I think what we want is really clear.

We don't, at the very least, not to make a step backwards, we don't want to live in a digital world that for some reason is unable to deliver what every one of us is taking for granted when we, when we travel. So I think the mission is clear, we need different use cases and different countries to become, as you said, interoperable.

And the, I think at the end of the day, this is not going to be a technical problem and it's not going to be a legal problem, it's a problem of people. It's a, it's a question of, you know, can people come together and say that this need outweighs all of the legal concerns and the safety concerns and the concerns for your own sovereignty, that you want to be the master of these rules and you don't want to work with anyone else. And collectively, I think this is the task we all face And we talk a lot about smart wallets at, at the open identity exchange and smart digital ID in general.

And where we've gotta end up is the ID or the wallet, the service that's helping the user through this has got to work on behalf of the user and it's got to help the user through processes without the user necessarily having to understand, you know, what those processes are. We don't, we were talking about covid, you know, processes and to prove that you are covid safe, you know, you could do that with a vaccine, you could do that with a proof of test, you could that with the proof of having had covid recently. How do you bring those two things together?

How do you do that anonymously without disclosing which method you actually had? Because that's a, that's a private matter. The users shouldn't have to be worried about all of this.

The, the service, the wallet that should help them through it, through it. And if that means, you know, we do end it with separate wallets and I've got one wallet for some things and one wallet for another, it would be great if they communicated.

So I, if the, the ask comes into me for some information, I go to my wallet to provide it and I say, oh great, you've got your driving license in here, but you haven't got the payment instrument. And I might say, yeah, well jump to that other wallet and I'll give you the payment instrument from there. And it all happens in one transaction still without me having to, to faff about and close the wallet down and go and find the other wallet. You know, some deep linking between wallets might be necessary if we don't get conversions into a single wallet.

And picking up on racial session earlier, some of the, the early implementations of wallets have, have clearly been quite standard based and, and, and, and tech-centric, which is, which is what you see when these things start. We've got to leap beyond that. I was thinking my my daughter's a UX designer and, and assessor, I think she would love your presentation. She was like, yeah, like yeah, these are all the kind of nastiness that I find every day. We've got to make sure we, we think and plan for that and, and deliver smart wallets.

I'm, I'm gonna take a different perspective. I agree with e what everyone's saying, but I'm gonna add a, a dose of reality from the old implementer in the room.

And, and that is we don't have an identity problem, we have too much identity problem, it's everywhere. So we have, what's a verifiability problem right now? Can we claw it back and prove you are you every single time?

Two, we have an economic problem, we all know it, it's the elephant always in the room. It's why we're all here to try and solve many of these things. So with those two priorities in mind, can we keep it simple? Like there's a lot of things we can do, but can we keep it simple and focus in as a community and come together to solve those two fundamental issues in as simple way as possible? And can we do it soon?

We don't have to boil the ocean, we don't have to solve all of these problems all at once, but can we do that together as a community and start, really start on a solid footing that's standards based that leads us to all of these potentials we're talking about, but we gotta start doing it now and we are all here and we can do we have the right minds in the room. In fact, we have probably more than enough minds in the room to be able to start figuring out what, what our first initial steps are to solve the verifiability issue and our economic issue.

That, that would be my call to action. And I was just gonna say, I think that's a great call to action. Thank you Juliana. What a way to finish the panel for now. I I just want now to, we've got about 10 minutes left and I wanted to open up the floor to the audience and see if there's any topics you guys want to delve into in any more depth. There Are several questions asked online, so maybe we can start with one of them and then perhaps if anyone has a question we can proceed.

The first que the first question is, if it's difficult to implement a wallet or a solution across different governments and countries, could the United Nations play a role? So the, the, the United Nations has some un unci, I'm never quite sure how to pronounce that model law on trust framework interoperability.

So, and one of the things we've been doing in looking at our exchange framework is making sure that we can meet all different parts of, of that model law. So it's, it's, it has recognized that people have different policies and it has put a model law in place as to how two parties might bilaterally draw up an agreement for exchange. So the UN has has done a little bit there, but yeah, that's, that's at a policy level and it's a, it's a tool. It's not a, you know, it's not a law in itself.

So yeah, I I can't see that the un actually doing a, a global wallet. It's very much a commercial concern.

I, I personally think government shouldn't do wallets. Are we talking about that tomorrow morning?

You know, my government doesn't provide my wallet today. It provides a lot of the credentials I put in my wallet and store away, but it doesn't provide me with the management facilities. I don't think that's government's role and therefore I certainly don't think it's the UN's role. And you know, there is Eko as well, which does a fantastic job with your, with the passports that you all carry.

You know, that's the reason why you can enter China. So I think that's exactly the mindset that we need in terms of interoperability and, and we need it fundamentally not just with the people we agree with, but we need it with the people we don't agree with as well. So even if, you know, I don't like the policies of your prime minister or your president, I think we do want to live in a world where, you know, your credentials allow you to enter my country and vice versa.

Just thinking of NA's presentation earlier and the inclusivity domain, we do need to remember that some passports are more equal than others, right? My passport gets me to lots of countries, but there's plenty of people out there who have passports that don't. So there's a kind of another policy dimension to it, Right?

I'm actually on the board funnily enough of a company called Henley and partner and I can shamelessly plug them if you want to understand the power of your passport, look at the, you know, economist ATA Henley passport index and they're ranking passports, you know, based on how many countries you can actually travel to. We have several questions online, but if anyone wants to ask a question now. Okay. Speaker 10 00:46:48 Hi, Phillip Hoya the identity business for a few decades now.

So I think one thing that you haven't addressed and, and which I think is maybe the biggest problem that we have is, let's call it the C square problem, which is the Cupertino culture problem. Unless these guys decide that this is something that we need to solve, you're not gonna run it in a wallet on that platform. And that's a platform that everyone has because you need to run the wallets on that platform.

So Yeah, I think it is, you know, both a challenge and an opportunity. So the fact that you have two global operating system winners is something that could help with standardization. But as Ned said in his presentation, yeah, but Speaker 10 00:47:38 You don't look at the wallets on on Android, you don't, you, you see it with the interoperability issues with the fight between Samsung Pay and Google Pay.

You don't, you only have one winner at the moment Of, but I do, I mean, you know, I as driver's licenses become digital, I think they will become digital and Android as well. It's, it's hard to see that, you know, people will not use Android phones for mobile driver's licenses I think. Sure. Speaker 10 00:48:03 And, but yes, Long Speaker 10 00:48:05 Time to get there, as you know. And it's only one success story that we have, right? Passports and drivers license At this moment in time. The other side of it is that it's not, does not provide equitable access.

So if you're a government issuing IDs or are contemplating issuing IDs to your citizens, you need to be, your mandate is to provide access to all of your citizens. And that one very incredible wallet, I'm not gonna deny that does not do that. It does not meet the requirements of those governments for their constituents. They need other solutions to meet their mandates right now I would, I would add one other thing and that's being, being a US citizen and having lived there for 52 years, I have every faith in the world that it is a very capitalist society that loves to sue things.

And w part of the, part of the, what came out of the white paper that just came out last week was looking at some of the different states and how different states have, you know, this one's preferred Apple and this one's preferred Google and they are setting themselves up for some fantastic government intervention because if you, if within the US you can't actually use a mobile driver's license from one state to the next to the next to the next.

They, I mean I would like to say we're going to avoid that because the driver's license isn't the problem but that, but what it's in might very well be. And if that's not going to, if people are gonna get locked in in that way and then not be able to use it across borders within the country, the government's going to get very frustrated. Speaker 11 00:50:00 Hi, my name is Christian. I'm just wondering if there's something similar happened before. You have talked about passports like globally accepted, we have the iban.

Is there something you can say which is in a timely fashion similar than what you accept, expect for like adoption rate and stuff for what you, we plan here? Yeah, I think it depends how you define timely, but one good analogy might be the credit card industry.

You know, the visa started as bank Americ card, which as the name suggests was you know, a product of Bank of America. And then of course it became clear that it would be the, you know, the appeal would increase if several banks would cooperate and then you know it, so it became from a one bank thing, a US thing. And then obviously we know the rest of the story.

I, I have high hopes that when you talk to policy makers at the European Commission as well as at the Department of Homeland Security or the provinces in Canada, that people are aware of the problem. And you know, as this panel probably made abundantly clear, it is not going to be a walk in the park neither on, on the policy side, nor on the technical side. But we need to get going, right?

It's, it, it's something that we can simply not afford not to tackle it and leave it up to one fruit company in Cupertino, California or, or you know, not figuring this out. Speaker 11 00:51:34 And Phil, maybe second question.

When we see like what happened with crypto and like the fast global adoption like cross-country bottom up and then the crypto regulation now like getting up and running is just something where you think, okay, we have like global similar crypto regulation, which is like indicating that there's already like an idea of what's a digital wallet, what's, what should be traceable, what should be like binding to a natural person and stuff. So it's just something which is like a first step in a similar domain but like maybe flowing over in in in what we are discussing here.

Yes, I think so. I think you can, you can look to EIDS as regulation coming down in the A R F as an indicator of that you can look to the US with the Chips and Sciences Act and NIST with their new IAM road roadmap, which are really examples of them accelerating that effort. I think we have such a social economic risk right now a sig such a severe one that we are seeing action from regulators and I think it's going to continue. I see I also see some incredible collaboration between countries to try and align and, and I think they'll do a great job, to be honest.

It's interesting, I think we're seeing parallel with crypto is that someone creates a great idea there, it's completely unregulated and so the regulators weighed in to regulate it. What we're seeing here is something quite interesting is what we're seeing is a great concept. It's not really out there, it's out there in little bits and the regulators are trying to now write complete ecosystem solutions and policy frameworks to solve the problem before you know, the technology and the commercial policy has matured around that.

So we've got almost regulation in many cases running ahead of where it normally would because it's not regulating a market that's already matured. So that's that, that can be very helpful in terms of market making conditions. But it also means it could get it badly wrong up front because it hasn't allowed the market to actually form and mature a bit before it then steps into regulate. So I think there is a danger of that and there's a danger in sort of what the EU is doing in stepping a bit too far to try and achieve interoperability, you know, without less in the market develop itself.

So I agree with the, the argument there will be more regulation. The no part is in Europe for instance we have AML five and AML six, but when you open a bank account in different countries in Europe, the hurdles are very, very different even within AML five and AML six. So I think you'll see some of that happening here as well. That you know, there will be more regulations but then different countries will even interpret the same regulations somewhat differently.

And probably in some cases a race to the bottom, you know, that it makes sense to incorporate a company in Delaware or it makes sense to have a banking license in Luxembourg. So we have a menace and a half left. John's got the mic I think. Well then very quickly, where is interoperability a bad idea or where should friction be inserted?

Cuz it, you almost take as axiomatic that frictionless is good, although not on a ski slope and that interoperability is inherently good. And I just challenge your presumption. Where would interoperability, where does it need friction and difficulty and why?

Well, hey, now interoperability and inserting controls are not mutually exclusive components. So, you know, I want it to be interoperable. I I will strongly maintain that that has to be part of the standards development in all directions. Now whether introducing friction into it makes sense in a given circumstance. In some circumstances, yes, in some circumstances no, and that's fine. That's absolutely fine. And as it should be.

So I, I wouldn't wanna make it quite that either or. I think Juliana wants to dive in.

Yeah, I'm gonna, I'm gonna jump in there. I think that friction is good in certain places and that, and depending on where it is and when it is, so, you know, I talked about a verifiability problem, we have it worldwide universal. So that's a good place to apply some friction on that. Whether you call it kyc, identity proofing.

Let's, let's align on that and what the assurance levels are for that and put the key criteria in that and try and make them common and put the friction there. I think we all expect it. I wouldn't trust it if it weren't there. But the timing of it, please don't put it in front of when I'm trying to do a transaction, please put it in a place that's logical for me that where I have the time I can take the care and we can do a good job on that verification, but that we can also reuse it, that we don't do it again and again and again. Which I think creates security gaps.

Let's do it right, do it the hard way, end the right way first and establish that trust anchor in that verified credential, whatever you want to call it, whatever method you're using. And then we have the opportunity to become more frictionless in our regular transactions that need to be subsecond that don't, that now can rely on that strong identity proofing process. And I would say there is, I would add one point where I think even in the transaction itself, there should be friction, which is the consent.

So I think if you want informed consent, this is one area where you really want to tell, you know, human beings take a moment, stop, understand what you're doing because even if you have the most amazing frameworks and you have the most amazing protocols, if I am just, you know, mindlessly giving consent to my wallet, my agent, whatever, to share something, it is all for not. So this is definitely an area where I believe friction is really vital.

Yeah, and I'll add to that. There's, there's, oh sorry, there's this thing that happens. I've tried it, we've built things like this and then had them tested. If it's too frictionless, people don't trust it, they don't know what the heck just happened. Did that happen? Did it not happen?

So having, providing, building in or fact dinging in an awareness of state for the user at all times so they know what just happened or didn't happen. Did it go through, did it not that I think is not friction, but it is that awareness builds confidence and trust in that particular interaction. And we need, we need to be be aware friction by ROS as well, which is what we all see by with cookies. Yeah.

You know we so yeah, except, except we see with confirmation of payee, which is before we make push payments in the uk, now we have to go through these steps and there's an acknowledgement step with a set of warnings and just click bang straight through. You never read it. So we need to be aware of that as well cause it's pointless and Another thing. Right. Thank you Heather. So I think you guys did really well. That was a tough topic to cover. I think you've done a really nice job of delving into some of the areas that are gonna give us challenge.

I do want to ask the audience to chip in where you think you can to help solve these problems and the various organizations here would be good places to start that conversation. So if you wouldn't mind putting your hands together, thank the panel for a, a really good talk.

Yes, thanks. Thanks for sticking with us and thanks to KuppingerCole as well. Of course. Thank you.